Insecure Design is a newer category of risk that debuted in 2021 as #4 on the list of OWASP Top 10 threats. It is a very broad category that covers a range of design flaws that result in missing or ineffective controls. In their introduction of this risk, OWASP stresses that because defects in design cannot be fixed by rigorous implementation, secure development lifecycles are essential when designing new apps.
But here’s the catch: Existing apps may not have been developed with secure development lifecycles in mind. They may have designed-in weaknesses and flaws such as error messages that contain sensitive data and insufficiently protected data or credential storage. Until these apps can be redesigned, securing them is essential.
To illustrate the risk posed by Insecure Design, Chase Cunningham – Dr. Zero Trust — subjects the fictional Juice Shop that he created on the HyperQube test platform to yet another attack. In a short demo, he manipulates the source code to change session storage values and the tokens that the application uses. Ericom Web Application Isolation (WAI), an innovative cloud-delivered security solution that isolates web/cloud applications and their APIs from cyber-threats, provides controls and policies that can secure apps immediately, as soon as a design flaw is uncovered. In this case, that means blocking session storage data visibility from prying eyes – and itchy trigger fingers.